Privilege Escalation Bug in WooCommerce Plugin Puts Millions of Sites at Risk

Researchers from RIPS Tech have demonstrated another critical bug in the popular WordPress plugin WooCommerce, which allows a user's role to be escalated to site Administrator.

WooCommerce is an eCommerce plugin for WordPress with over 4 million active installations.

When WooCommerce is installed, the user role Shop manager is added by default. The bug involves the Editor role: a malicious Shop manager can change a Customer user's role to Editor and then inject malicious JavaScript code into the index page of the target WordPress site.

Evil Shop managers can simply update a random Customer account, set their user role to Editor, update their password and log into their account, which then has Editor privileges. This means they can simply circumvent the HTML restriction and inject arbitrary JavaScript code into the front page.

Now, whenever the site administrator visits the index page of the site, the stored JavaScript code (inserted by the malicious user on the front page) executes and escalates the role of the malicious user to site Administrator.
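The role change and password update described above leave a recognizable pattern in a user-management audit trail. The following detection sketch is an added example, not code from RIPS Tech or WooCommerce; the JSON event fields, the sample log and the one-hour window are assumptions, while `shop_manager`, `customer`, `editor` and `administrator` are the standard role slugs.

```python
import json

# Constructed sample audit events (JSON lines). The field names are assumptions,
# not the output format of any particular WordPress audit plugin.
SAMPLE_LOG = """\
{"ts": 100, "actor": "mallory", "actor_role": "shop_manager", "action": "role_change", "target": "cust42", "old_role": "customer", "new_role": "editor"}
{"ts": 130, "actor": "mallory", "actor_role": "shop_manager", "action": "password_change", "target": "cust42"}
{"ts": 200, "actor": "alice", "actor_role": "administrator", "action": "role_change", "target": "bob", "old_role": "customer", "new_role": "editor"}
{"ts": 300, "actor": "dave", "actor_role": "shop_manager", "action": "password_change", "target": "cust7"}
"""

WINDOW = 3600  # assumed: seconds within which a follow-up password change counts


def find_escalations(log_text, window=WINDOW):
    """Flag Shop managers who move a Customer account to a higher role."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["ts"])
    findings = []
    for ev in events:
        if (ev["action"] == "role_change"
                and ev["actor_role"] == "shop_manager"
                and ev["old_role"] == "customer"
                and ev["new_role"] != "customer"):
            # Second step of the chain: the same actor resets the target's password.
            takeover = any(
                e["action"] == "password_change"
                and e["actor"] == ev["actor"]
                and e["target"] == ev["target"]
                and 0 <= e["ts"] - ev["ts"] <= window
                for e in events
            )
            findings.append({
                "actor": ev["actor"],
                "target": ev["target"],
                "new_role": ev["new_role"],
                "severity": "high" if takeover else "medium",
            })
    return findings


if __name__ == "__main__":
    for finding in find_escalations(SAMPLE_LOG):
        print(finding)
```

A role change made by an Administrator, or a password reset with no preceding role change, is not flagged.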

As a proof of concept, the researchers have also published a video demonstration of the bug.

(Note: video has been uploaded by us on behalf of RipsTech)

This bug has been reported to the developer, and a fix has been released in version 3.4.6 of the WooCommerce plugin. We recommend that all WooCommerce users update the plugin to fix the issue and stay safe.
